Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Why EMV is Important, But Makes You No Less Immune to a Breach

Starting next week, brick-and-mortar merchants in the United States must be ready to accept EMV (chip-based) credit and debit cards. If not, they - and not the card issuer - will become responsible for the liability resulting from fraudulent transactions.

(EDITOR'S NOTE: There are some exceptions to the rule, so it's always a good idea to ask your bank, acquirer and processor what your EMV responsibilities are and what your liability is.)

EMV - which stands for Europay, MasterCard and Visa, but is now managed by EMVCo - is a standard that makes payment cards nearly impossible to copy, meaning merchants can significantly reduce the possibility of accepting counterfeit cards. Unlike with traditional cards where data is encoded on magnetic stripes, EMV moves the sensitive data to an embedded microprocessor chip, which creates a unique transaction code for each purchase to perform authentication, verification and authorization.

The EMV standard, which is sometimes called chip-and-PIN or chip-and-signature, has existed for many years in some 80 other countries - most commonly in Europe and Canada - but makes up just a tiny fraction of the credit card transactions in the United States. Thus it's not a huge surprise that with an Oct. 1 deadline rapidly nearing, the majority of U.S. merchants (many of them small and midsize companies) are not EMV-ready. Meanwhile, more than half of American consumers don't know what a chip card is, never mind have received one.

EMV has been widely successful in trimming down fraud on face-to-face transaction, with European Union countries reportedly seeing an 80 percent reduction in card-present fraud since the standard was deployed. However, EMV won't signal the end of financial deception anytime soon.

With a new challenge staring them in the face, cybercriminals undoubtedly will get better at creating counterfeit chip cards and compromising EMV card readers. But what's far likelier - at least in the short term - is that fraud simply will shift to another channel, as for example, was evidenced in the U.K. which saw online, or card-not-present, fraud soar dramatically after the introduction of EMV because no chip is required during purchase. And experts said a similar fate awaits the United States, where research firm Aite Group predicts online fraud will more than double between 2015 and 2018.

But a bigger point to hammer home is that while the EMV standard may limit fraud or force it to migrate somewhere else, it won't stop credit card theft from happening in the first place. Breaches will still continue to roll in, and the retail industry will remain one of the biggest targets, especially e-commerce companies.

As Trustwave VP of Managed Security Testing Charles Henderson said recently: "From a criminal's perspective, if I'm going to look for cards I can use in card-not-present fraud, I'm going to look for a card-not-present target. This should be the million-dollar eureka moment for card-not-present retailers. That's why they should be paying attention."

While EMV is an important step to take to hamper consumer fraud (and limit your own liability), you should also ensure you have implemented a layered breach defense to help derail a successful attack on your company. If you lack the in-house resources and expertise to do it yourself, you may consider turning to a trusted managed security services provider for help on all or some of your data protection.

Regardless of the delivery model, your defense strategy should include:

Security Testing

Weak passwords and weak remote access (which contributed to 94 percent of point-of-sale breaches that Trustwave investigated last year) are just two of many exposure points you need to evaluate in order to stymie data breaches. Conducting regular vulnerability scanning and penetration testing across databases, networks, and applications can allow you to identify these deficient areas and make yourself a far less attractive target.

Web Security Gateway

Custom-designed malware that sniffs for credit card numbers is commonly unleashed into cardholder environments during compromises as a way to exfiltrate the targeted data. You should turn to a solution that can identify and block advanced malware and zero-day threats in real time.

Threat Management

You also need to be alerted as early as possible to threats so you can limit damage and losses. SIEM solutions can help you quickly understand what the intruders have accomplished, which systems they have compromised and how to halt them in their tracks before they can impart any further damage.

Encryption/Tokenization

End-to-end encryption takes EMV a step further by encrypting the data at the moment it enters the environment, typically at the swipe/tap/input. Tokenization permits you to store tokens of your customer's payment data, facilitating processes like recurring and subsequent billing, without the risk of storing your customer's actual payment card data, which is instead stored securely in a third-party facility.

Web Application Firewall

Website security is already critical for e-commerce vendors and may become even more important as it becomes more difficult to commit fraud in card-present environments. Web application firewalls inspect web traffic and block common web attacks, like cross-site scripting and SQL injection.

Security Education Awareness

 In many cases, employees and vendors (or other third-parties) are the source of a data compromise. For example, they click on an email attachment or follow a link that invites malware onto their internal workstation and laterally moves through the corporate network. To make them less prone to falling for a ruse, these workers must be trained regularly on acceptable use and incident response. Remember, you're only as strong as your weakest link.

Two-Factor Authentication

EMV makes it harder to clone a physical card. But as we've said, it won't apply to or help web-based retailers, so they'll have to consider alternatives for verifying transactions as legitimate. One option is to deploy an additional authentication step, such as requiring the customer to enter something only they know, like an online PIN.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.

6725_2c0f146e-8bea-43de-9055-6054c2027e91      

Latest Trustwave Blogs

Trustwave Named a Representative Vendor in 2024 Gartner® Market Guide for Co-Managed Security Monitoring Services

Trustwave has been named a Representative Vendor in Gartner just released the 2024 Market Guide for Co-Managed Security Monitoring Services. Gartner estimates that there are more than 500 vendors who...

Read More

Navigating Security Risks and Innovations in the Hospitality Industry

As technology has become available, the hospitality industry has focused on making the most out of innovations such as contactless services and eco-friendly practices.

Read More

Frost & Sullivan: Trustwave MDR Growth Will Exceed Industry Average

The security analyst firm Frost & Sullivan positioned Trustwave as a leader and top innovator in its research on the MDR market landscape, noting its innovative, industry-leading cloud-native Fusion...

Read More